Commerce Proposes Know-Your-Customer Rules for Cloud Providers
The Commerce Department is proposing new rules that could require U.S. cloud service providers and their foreign resellers to follow know-your-customer (KYC) requirements, a step the agency said would prevent those services from being used to aid cyberattacks and to train artificial intelligence models that threaten U.S. national security. The proposed regulations are specifically aimed at preventing “foreign malicious cyber actors” from using U.S. infrastructure-as-a-service products to steal American intellectual property and sensitive data, commit espionage, and train large AI models for cyberattacks on U.S. critical infrastructure.
“Today’s rule puts foreign malicious cyber actors on notice that we are taking action to prevent them from using our own cloud infrastructure to undermine our national security interests,” said Alan Estevez, undersecretary of the Bureau of Industry and Security. “Today’s proposed rule gives the Secretary of Commerce the tools she needs to address risks while maintaining the Department’s overall approach to national security: to innovate and do business wherever we can, and to protect what we must.” Public comments are due April 29.
The interim final rule, published Jan. 29, comes as the Biden administration increases efforts to prevent China from using sensitive U.S. technology for advanced AI applications, including by continually tightening export controls (see 2310170055). BIS officials have said they are searching for potential avenues to restrict China from using cloud computing services to access export-controlled technology (see 2401260051 and 2312080048).
The agency’s proposed KYC rules would require U.S. cloud service providers to “verify the identity of foreign persons that sign up for or maintain accounts that access or utilize” their services. Those providers and their foreign resellers would have to put in place “customer identification programs,” or CIPs, to collect certain “identifying information” about their customers, report that information to Commerce and maintain records.
That information could include, at a minimum, the customer’s name, address, email addresses, telephone numbers and internet protocol addresses, and the means and source of payment, Commerce said. The agency said it plans to allow service providers to “create a CIP that matches [their] unique service offerings and customer bases,” and the agency wants the programs to be “flexible and minimally burdensome to their business operations.” Certain data collection requirements wouldn’t apply to customers with accounts opened by or on behalf of a U.S. person.
Providers and their resellers likely will have to comply with the new data collection rules within one year after a final rule is published. “The Department will consider allowing U.S. IaaS providers an adjustment period to implement some provisions of this proposed regulation and notify the Department accordingly,” the rule said.
Under the new rules, Commerce also would be able to impose two “special measures” to prevent U.S. service providers from aiding “malicious cyber actors.” Both would allow the agency to place restrictions on the “opening or maintaining of an account” with any U.S. cloud service provider, including for certain foreign people located in a foreign country that has a “significant number of foreign persons” using cloud service providers for malicious cyber activities. The rule proposes regulations for how Commerce would decide whether and how to impose these special measures.
Another proposal would require U.S. cloud service providers to report to Commerce whenever a foreign person “transacts” with that provider to “train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” That report will need to include the identity of the foreign person, the “existence of any training run of an AI model” and more.
The rule includes a host of other proposals, including definitions for “foreign customer,” “foreign reseller” and a “large AI model” that could be used for malicious cyber activities. The agency is seeking comments on its proposed CIP and data collection requirements, recordkeeping rules, potential annual certifications to Commerce about CIPs, exemptions and more. Violators could be subject to civil or criminal penalties under the International Emergency Economic Powers Act.
The proposed regulations implement two executive orders: a 2021 order that called for new regulations to prevent cyberattacks, and another issued in October designed to strengthen U.S. defenses against dangerous uses of AI (see 2310300029).